Instructions on how to analyze the VX30 products for stolen code

by Ryan Thoryk (aka EventHorizon)

via DrunkenBlog


VX30 comes in 2 products, with 3 executables in total. The products are VX30 Encoder and VX30 Live; VX30 Live consists of the Live executable and the Server executable. Because these files have been packed with ExeCryptor, their strings are encrypted on disk and only appear in cleartext once the program has unpacked itself in memory, so the way to view them is to run each program and take a dump of its memory space.

Also note that I have 2 recent versions of VX30, and a third, much older version from 2004. The 2 recent versions are almost identical, except that in the latest one MXS deleted the strings I found in the Encoder (but not the stolen code); luckily I still have the previous version.

First download the executables here (current version):

VX30Encoder.exe

VX30Live.exe

VX30Serv.exe

Here are the executables of the previous version:

VX30Encoder.exe

VX30Live.exe

VX30Serv.exe

and the 2004 versions (these are what is now the Encoder app):

VX30 1/21/04 build

VX30 2/18/04 build

VX30 Design3 (?) 4/16/04 build


Here's the method for making memory dumps on NT-compatible systems (NT4/Win2k/WinXP):

1. Get the Windows Debugging tools from Microsoft:
http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx

2. Run the VX30 app you want to test (don't exit it though)

3. Find the app's PID (open Task Manager; on the Processes tab, View -> Select Columns adds the PID column if it is not shown)

4. Open a command prompt (Start -> Run -> cmd)

5. From that prompt, run WinDbg so that it attaches to the process (-p), runs a .dump command (-c) and skips the initial breakpoint (-g). Say the PID is 2000; replace it with your app's PID:

"C:\Program Files\Debugging Tools for Windows\windbg.exe" -p 2000 -c ".dump /mcrR c:\new.dmp" -g

The .dump switches mean: /m write a minidump, c include the code sections, r zero the parts of stack memory that are not needed for a stack trace (which keeps other data out of the file) and R strip the full module paths. That gives you the app's unpacked code and related data in c:\new.dmp. If the strings you expect are not in the file, /ma dumps the entire address space instead, at the cost of a much bigger file. cdb.exe, the console debugger from the same package, takes the same switches and prints its output straight into the command prompt.

The WinDbg command-line options and the ".dump" options are documented in the program's help file (debugger.chm).

You'll see output similar to this.

6. Repeat the process for the other 2 executables (use a different output filename for each one)

7. Then open the dump files in a hex editor such as Hex Workshop. You will find matches exactly like the ones below, and possibly more:

Note - the older 2004 versions of VX30 are not packed, so their strings can be read straight from the executables without taking a memory dump.
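As an added example, not part of the original write-up and not a tool from the author or MXS, here is a Python script that does step 7 in bulk: it pulls every printable ASCII and UTF-16LE string out of a dump (or out of an unpacked 2004 executable), matches them against a table of library markers, and reports each hit with its file offset so you can jump straight to it in the hex editor. The marker strings are my own assumptions (banner and version text these libraries embed in their builds; the article does not list exact strings), and the sample dump at the bottom is constructed for the demonstration. A hit is a lead to inspect, not proof by itself.

```python
"""Bulk version of step 7: pull strings out of memory dumps and flag known
library markers.  Added example for this article, not the author's tool."""
import re
import sys
from pathlib import Path

MIN_LEN = 6  # shortest printable run worth reporting

# Printable ASCII run, and the same run stored as UTF-16LE (Windows wide strings).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# ASSUMED markers, constructed for this example: banner/version text the
# libraries embed in their own builds.  A hit is a lead to look at, not proof.
LIBRARY_MARKERS = {
    "LAME":      [re.compile(r"LAME3\.\d{2}"), re.compile(r"www\.mp3dev\.org")],
    "XviD":      [re.compile(r"xvid", re.IGNORECASE)],
    "libvorbis": [re.compile(r"Xiph\.Org libVorbis")],
    "mpg123":    [re.compile(r"mpg123")],
}


def extract_strings(data: bytes):
    """Yield (offset, encoding, text) for every printable run in ``data``.
    Wide strings are decoded so 'L\\x00A\\x00M\\x00E\\x00' is seen as 'LAME'."""
    for m in ASCII_RE.finditer(data):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in UTF16_RE.finditer(data):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def find_markers(data: bytes) -> dict:
    """Return {library: [(offset, encoding, string), ...]} for every string in
    ``data`` that matches one of that library's markers; libraries without a
    hit are left out."""
    hits = {}
    for offset, enc, text in extract_strings(data):
        for lib, patterns in LIBRARY_MARKERS.items():
            if any(p.search(text) for p in patterns):
                hits.setdefault(lib, []).append((offset, enc, text))
    return hits


def format_report(label: str, hits: dict) -> str:
    """Render hits as 'offset [encoding] string' lines grouped per library."""
    lines = [f"{label}:"]
    for lib in sorted(hits):
        lines.append(f"  {lib}: {len(hits[lib])} hit(s)")
        for offset, enc, text in hits[lib]:
            lines.append(f"    0x{offset:08x} [{enc}] {text!r}")
    if len(lines) == 1:
        lines.append("  no known markers found")
    return "\n".join(lines)


def scan_file(path) -> str:
    """Scan one dump (or unpacked executable) on disk and return the report."""
    return format_report(str(path), find_markers(Path(path).read_bytes()))


# CONSTRUCTED sample dump: padding, an ASCII LAME tag, a wide-char Vorbis
# banner and an unrelated string, so the scanner runs without any VX30 binary.
SAMPLE_DUMP = (
    b"\x00" * 64
    + b"LAME3.96 (http://www.mp3dev.org/)\x00"
    + b"\xcc" * 32
    + "Xiph.Org libVorbis I 20040629".encode("utf-16le") + b"\x00\x00"
    + b"\x90" * 16
    + b"Unrelated text from the app\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for p in sys.argv[1:]:  # e.g. c:\new.dmp c:\live.dmp c:\serv.dmp
            print(scan_file(p))
    else:
        print(format_report("<constructed sample>", find_markers(SAMPLE_DUMP)))
```

Run it with the dump files as arguments; with no arguments it scans the built-in sample. Matching UTF-16LE as well as ASCII matters on Windows, where programs often keep their text as wide strings that a plain ASCII string search would miss; the reported offsets are byte positions in the dump file, which is what the hex editor's "go to offset" expects.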

VX30 Live pictures (contains XviD code, MplayerC code, LAME code, Ogg Vorbis, and more)

VX30 Live Server pictures (contains strange stuff, and what seems to be a list of serial numbers - if those are registration serials, whoever made that app is extremely stupid)

VX30 Encoder pictures (MXS has tried to hide the strings in this new version of Encoder, but here are pictures of the previous version)

Old VX30 pictures (1/21/2004 version) (tons of LAME code, XviD code, mpg123 reference, reference to LAME's website, etc)